BlackCat, as is common these days, uses a double extortion routine where the data is exfiltrated while being encrypted. This move was designed to reduce the effectiveness of restoring from a backup. Depending on the “professionalism” of the group, it could also be a way to get extra money out of the target. BlackCat appears to make use of already compromised environments. This means they either have their own initial access team, or they work closely with initial access broker (IAB) groups already in play.
In the analysis of the most recent upgrade, researchers have seen indications of new techniques to evade detection via junk sections of code, encrypted strings, and changes to the command-line arguments used during the installation. These are common, along with protections against normal static analysis. The installer contains a loader which can decrypt the payload, execute the exfiltration routine, delete shadow copies, and hunt for other targets in the infected system's subnet. The latter is done via a series of network discovery calls launched by the loader. All of this happens while your data is being encrypted, with the final move being to drop the ransom note.
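The loader behaviour described above (shadow copy deletion plus subnet discovery from one process) can be hunted as a correlation over process-creation logs. The sketch below is an added example, not code from the researchers or from BlackCat analysis; it assumes both actions surface as child processes running well-known Windows utilities, which the article does not specify, and all events and names are constructed.

```python
import re
from datetime import datetime, timedelta

# Constructed process-creation events: (host, timestamp, parent image, command line).
EVENTS = [
    ("WS01", "2024-01-01T10:00:00", "upd_installer.exe", "arp -a"),
    ("WS01", "2024-01-01T10:02:00", "upd_installer.exe",
     "vssadmin.exe delete shadows /all /quiet"),
    ("WS02", "2024-01-01T11:00:00", "cmd.exe", "wmic shadowcopy delete"),
    ("WS03", "2024-01-01T09:00:00", "cmd.exe", "net view"),
    ("WS03", "2024-01-01T12:00:00", "cmd.exe",
     "vssadmin delete shadows /for=C: /oldest"),
    ("WS04", "2024-01-01T10:00:00", "explorer.exe", "notepad.exe report.txt"),
]

# Assumed indicators: standard utility command lines, not values from the article.
# Matching the utilities' own arguments avoids depending on the installer's
# command line, which the article says changed between versions.
SHADOW = re.compile(
    r"\bvssadmin(\.exe)?\s+delete\s+shadows\b|\bwmic(\.exe)?\s+shadowcopy\s+delete\b",
    re.I)
DISCOVERY = re.compile(
    r"\barp(\.exe)?\s+-a\b|\bnet(\.exe)?\s+view\b|\bnltest(\.exe)?\s+/dclist\b", re.I)

def classify(cmd):
    """Label a command line as 'shadow', 'discovery', or None."""
    if SHADOW.search(cmd):
        return "shadow"
    return "discovery" if DISCOVERY.search(cmd) else None

def correlate(events, window=timedelta(minutes=10)):
    """Return (host, parent) pairs where one parent spawned both behaviours within window."""
    seen = {}
    for host, ts, parent, cmd in events:
        kind = classify(cmd)
        if kind:
            key = (host, parent.lower())
            seen.setdefault(key, []).append((datetime.fromisoformat(ts), kind))
    hits = []
    for key, items in seen.items():
        shadows = [t for t, k in items if k == "shadow"]
        scans = [t for t, k in items if k == "discovery"]
        if any(abs(s - d) <= window for s in shadows for d in scans):
            hits.append(key)
    return sorted(hits)

if __name__ == "__main__":
    for host, parent in correlate(EVENTS):
        print(f"ALERT {host}: {parent} deleted shadow copies and ran discovery")
```

Requiring both behaviours from the same parent keeps routine administrative shadow copy cleanup (WS02) and widely spaced activity (WS03) from alerting on their own.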
Cybercrime is a big money-making industry. Although many of these groups may have started out as individual threat groups with their own targets and internal agendas, the largest of them have found they can make just as much, if not more, than they did before by offering their tools as a service. This industrialization of cybercrime has led to a very different threat landscape, one that can compete head-to-head with most modern businesses. It is why we see properly signed malware and other tools with a unique code signing certificate instead of ones stolen in other breaches. The move from disorganized groups to this professional class is also why we see a faster development cycle in malware payloads, especially ransomware. Many of these groups actually have better secure development lifecycle programs than more legitimate businesses (which is just sad).
Modern organizations are at a serious disadvantage here. They are still fighting the last battle with individual groups, not large corporations with good funding and dedicated development teams. This means many organizations are leaving themselves open to these new attacks, and at a time when security teams are being cut to save money or reduced to push a return-to-work policy. It is going to get messy in the next few months, and the bad guys are not just one step ahead, they are many steps ahead.